Current Campaign Delivers Hundreds of Thousands of Polymorphic Ransomware

You might have been getting out of bed when attackers started sending hundreds of thousands of fake invoices the morning of April 27. Between 5:45 am and 11 am Pacific time, the first phase of the operation was steamrolling along. The invoices sent with fake .rtf files attached were in no way legitimate.

In McAfee Messaging Security we can measure campaign volumes and sender-recipient metadata, in addition to the spam content itself. The polymorphic attributes of this campaign led to some big numbers in just a few hours, including:

180,000+ messages

17,193 unique subjects

19,649 unique senders

6,595 sending IPs

Looking at the campaign hour by hour, we can see that the attackers started sending from a large number of IP addresses and that this number diminished over time (as the following graph shows). Closer investigation of these IPs reveals a small number of From addresses from the same domain, each sent from a single IP. This suggests that the attackers used the infected accounts’ identities to send through each computer’s designated outbound message transfer agent. The sending server used its legitimate hostname during the HELO phase of the SMTP conversation.

The campaign used subjects such as “Firstname Lastname” and widely varying attachment names that appeared to be .rtf files but were really .docx files. The sender employed a decent amount of trickery. Sample filenames:

00066_9101–u.rtf

000-741w…rtf

0007-45869cgoowc.rtf

0007696812…m.rtf

00079735g-.rtf

0008-29583_p-k.rtf

00087.54940-w_c.rtf

The senders wanted victims to think this was a legitimate invoice and only a brief message. Short and sweet is the new way for spammers. The more information they give, the more questions arise. Just by adding a company name to an invoice, an attentive individual in the billing department might question a message’s legitimacy.

When opened, the attachment instructs the user to enable macros.

If macros are enabled, the document drops and executes a VBScript file, which in turn copies itself into the appdata directory as %appdata%\Roaming\<4-5 digit filename>.vbs. That file then tries to download and execute files from a remote website. This is where the encrypted malware payload, related to Cerber ransomware, waits.

These campaigns have persisted from late April into May. Our analysis of IP-address overlap across three distinct campaign days reveals that nearly 50% of sending IPs (3,327 in total) were reused on all three days.

Distinct sending IPs per day:

April 27: 6,656

May 3: 7,311

May 4: 8,035
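The metadata analysis described above (message, subject, sender and IP counts; sending IPs per hour; one From domain per IP with a consistent HELO name; and IP reuse across campaign days) can be reproduced over gateway logs. The following is an added example and not McAfee's own tooling or data: the log format (timestamp, sending IP, HELO hostname, envelope sender, quoted subject, attachment name) and every record in SAMPLE_LOG are constructed for illustration, and the function names are assumptions.

```python
"""Campaign metadata analysis over constructed mail-gateway log lines."""
import shlex
from collections import defaultdict
from datetime import datetime

# Constructed sample records (not real campaign data). Fields:
# timestamp sending-ip helo-hostname envelope-sender "subject" attachment
SAMPLE_LOG = """\
2016-04-27T05:47:10 198.51.100.7 mail.example-a.test alice@example-a.test "Alice Adams" 00123-4567_x.rtf
2016-04-27T05:52:41 198.51.100.7 mail.example-a.test alice@example-a.test "Alice Adams" 00124-9871w.rtf
2016-04-27T05:58:03 192.0.2.99 smtp.example-d.test dan@example-d.test "Dan Dunn" 00125-1234_q.rtf
2016-04-27T06:10:22 203.0.113.21 mx.example-b.test bob@example-b.test "Bob Brown" 00126-55g-.rtf
2016-04-27T10:30:05 192.0.2.55 smtp.example-c.test carol@example-c.test "Carol Clark" 00127_p-k.rtf
2016-05-03T08:15:44 198.51.100.7 mail.example-a.test alice@example-a.test "Alice Adams" 00128.77-w_c.rtf
2016-05-03T09:02:19 203.0.113.21 mx.example-b.test bob@example-b.test "Bob Brown" 00129-741w.rtf
2016-05-04T07:40:51 198.51.100.7 mail.example-a.test alice@example-a.test "Alice Adams" 00130-6812m.rtf
2016-05-04T11:05:33 192.0.2.55 smtp.example-c.test carol@example-c.test "Carol Clark" 00131-912a.dot
2016-05-04T11:20:08 203.0.113.21 mx.example-b.test bob@example-b.test "Bob Brown" 00132_9101-u.rtf
"""


def parse_log(text):
    """Parse the constructed log format into a list of record dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        # shlex keeps the quoted subject together as one field
        ts, ip, helo, sender, subject, attachment = shlex.split(line)
        records.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"),
            "ip": ip, "helo": helo, "sender": sender,
            "subject": subject, "attachment": attachment,
        })
    return records


def campaign_totals(records):
    """The headline volume numbers: messages and unique subjects/senders/IPs."""
    return {
        "messages": len(records),
        "unique_subjects": len({r["subject"] for r in records}),
        "unique_senders": len({r["sender"] for r in records}),
        "sending_ips": len({r["ip"] for r in records}),
    }


def sending_ips_per_hour(records, day):
    """Distinct sending IPs for each hour of one day (ISO date string)."""
    per_hour = defaultdict(set)
    for r in records:
        if r["time"].date().isoformat() == day:
            per_hour[r["time"].hour].add(r["ip"])
    return {hour: len(ips) for hour, ips in sorted(per_hour.items())}


def ip_sender_profile(records):
    """Per sending IP: the sender domains and HELO names seen behind it.
    A compromised account sending through its own MTA shows one domain
    and a stable HELO name; many domains behind one IP looks different."""
    profile = defaultdict(lambda: {"domains": set(), "helos": set()})
    for r in records:
        profile[r["ip"]]["domains"].add(r["sender"].split("@", 1)[1])
        profile[r["ip"]]["helos"].add(r["helo"])
    return {ip: {k: sorted(v) for k, v in p.items()} for ip, p in profile.items()}


def ip_reuse_across_days(records):
    """Distinct IPs per day, the IPs seen on every day, and the reused share."""
    per_day = defaultdict(set)
    for r in records:
        per_day[r["time"].date().isoformat()].add(r["ip"])
    if not per_day:
        return {}, [], 0.0
    reused = set.intersection(*per_day.values())
    all_ips = set.union(*per_day.values())
    counts = {day: len(ips) for day, ips in sorted(per_day.items())}
    return counts, sorted(reused), len(reused) / len(all_ips)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(campaign_totals(recs))
    print(sending_ips_per_hour(recs, "2016-04-27"))
    print(ip_sender_profile(recs))
    print(ip_reuse_across_days(recs))
```

On the constructed sample, two of the four IPs appear on all three days, a 50% reuse rate; run against real gateway logs, the same functions give the per-day counts and reuse share the post reports, and ip_sender_profile is the check that distinguishes a compromised account relaying through its own MTA from an open relay spraying many domains.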

These campaigns have primarily targeted recipients in the United States, with the majority of spam destined for .com domains.

Based on our customers’ traffic, .rtf attachments are very rarely sent in email. You should investigate whether your environment needs to receive these types of files. If you have no reason to receive them, allowing these attachments by default could be a security risk. Your email gateway can block obscure file extensions. Because this campaign is polymorphic, specific rules will be short-lived, effective for perhaps a week before the subject and attachment patterns change.

We saw this campaign change focus on May 5, as the filename extension became .dot. Our advice is the same for these files: if they are not needed in your environment, then allowing them may be a security risk.
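Two of the points above are checkable at the gateway independently of the ever-changing subjects and filenames: the attachments were named .rtf (later .dot) but were really Office documents, and they carried macros. The following is an added example and not McAfee's own product logic: it sniffs the attachment's real container from its leading bytes, compares that with what the extension claims, looks inside an OOXML package for a VBA project, and applies a constructed block list of extensions (BLOCKED_EXTENSIONS) that the post suggests most environments do not need. The sample documents are built in memory and the function names are assumptions.

```python
"""Attachment extension-versus-content and macro checks (added example)."""
import io
import zipfile

# Gateway policy assumed for this example: extensions with no business need.
BLOCKED_EXTENSIONS = {".rtf", ".dot"}

# Container type each extension is supposed to carry.
EXPECTED_CONTAINER = {
    ".rtf": "rtf",
    ".doc": "ole2", ".dot": "ole2",
    ".docx": "ooxml-zip", ".docm": "ooxml-zip", ".dotm": "ooxml-zip",
}


def sniff_container(data):
    """Identify the real container from magic bytes, ignoring the filename."""
    if data.startswith(b"{\\rtf"):
        return "rtf"
    if data.startswith(b"PK\x03\x04"):
        return "ooxml-zip"          # .docx/.docm/.dotm are ZIP packages
    if data.startswith(b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"):
        return "ole2"               # legacy binary .doc/.dot
    return "unknown"


def ooxml_has_macros(data):
    """True when the ZIP package carries a VBA project (i.e. macros)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def assess_attachment(filename, data):
    """Return a verdict plus the reasons, so the gateway log explains itself."""
    ext = ("." + filename.rsplit(".", 1)[1].lower()) if "." in filename else ""
    kind = sniff_container(data)
    reasons = []
    if ext in BLOCKED_EXTENSIONS:
        reasons.append(f"extension {ext} blocked by policy")
    if ext in EXPECTED_CONTAINER and EXPECTED_CONTAINER[ext] != kind:
        reasons.append(f"extension {ext} does not match content type {kind}")
    if kind == "ooxml-zip" and ooxml_has_macros(data):
        reasons.append("OOXML package contains a VBA project (macros)")
    return {"verdict": "block" if reasons else "allow",
            "content": kind, "reasons": reasons}


def build_sample_docx(with_macros):
    """Constructed minimal OOXML package; the VBA part is a placeholder blob."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            zf.writestr("word/vbaProject.bin", b"\x00constructed-placeholder")
    return buf.getvalue()


# Constructed genuine RTF content for comparison.
SAMPLE_RTF = b"{\\rtf1\\ansi Invoice 00066 {\\b total}}"


if __name__ == "__main__":
    # A macro document wearing an .rtf name, as in the campaign, trips all three checks.
    print(assess_attachment("00066_9101-u.rtf", build_sample_docx(True)))
    print(assess_attachment("notes.rtf", SAMPLE_RTF))
    print(assess_attachment("invoice.docx", build_sample_docx(False)))
```

The magic-byte check is the one that survives the campaign's polymorphism: whatever the next week's filenames look like, a ZIP package named .rtf or .dot is a mismatch, and a VBA project inside a package that claims to be a plain .docx is worth blocking or at least quarantining whether or not the extension is on the block list.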

Ransomware has dominated headlines with attacks on healthcare organizations and the financial sector. The success of these attacks ensures they will continue for the foreseeable future. For an overview on ransomware, read this post by my colleague Bruce Snell. McAfee will keep pace with this evolving threat.

Thanks to my colleagues Armando Rodriguez, Jr. and Mark Olea for their help with this analysis.